Ad fraud

Adware, short for advertising supported software, is arguably the forerunner of the modern day PUP (Potentially Unwanted Program). Adware is typically a standalone program which displays adverts to the end-user in a variety of forms: inside the program itself, or via pop-ups, slide-in adverts, browser pop-ups, inserted adverts, or altered website content. The revenue generated by the adverts is how the program the adware is attached to is paid for, meaning the end-user receives their desired tool or service for “free.” Unfortunately, adware has a history of dubious value propositions, and what is initially offered can often turn out to be a scam or not what the end-user intended.

Browser extensions are computer programs that add functionality to existing browsers. They come in as many kinds (and more) as there are browsers.

Internet Explorer distinguishes between toolbars and browser helper objects (BHOs). Other browsers like Firefox, Chrome, Opera, and Safari call them add-ons or simply extensions.

For PUPs, the economically most interesting browsers are the most popular ones, e.g. Chrome, Firefox, and Internet Explorer.

Browser Helper Objects (BHOs) are add-ons or plugins designed for Microsoft’s Internet Explorer (IE). Designed to enable COM objects to be written that will load with the browser (both IE and Windows Explorer), BHOs were a means to enhance the functionality of the browser. Their first use was to add toolbars to the browser windows.

Although these objects are usually dll files, we have also seen dat and exe files. The unrestricted access that BHOs have by design in IEs Document Object Model make them a powerful tool in the hands of attackers. In the Windows registry, the BHOs are registered by globally unique identifiers called CLSIDs under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. There the CLSIDs are sub-keys that enumerate the BHOs in use on that system.

Commercial keyloggers are applications designed to harvest user interactions with a computer. These interactions include the capture of keystrokes, usernames and passwords, screenshots, collection of images and sound from the microphone/camera, printed documents, browser history, emails, chat logs, and more. Commercial keyloggers are similar to Infostealers in their ability to covertly collect user information, but differ in the fact that these programs can be obtained with a legitimate license through legal means. Commercial keyloggers are often marketed toward concerned spouses/parents who wish to monitor usage of a home PC, corporate IT/security teams maintaining DLP protocols, and auditors checking for conformity to policy.

Commercial keyloggers are often polished applications featuring huge selections of monitoring and stealth capabilities to assist users in maintaining a long-term presence. Due to the low cost and vast availability of these types of applications, commercial keyloggers have long been a preferred choice for criminals seeking a low barrier of entry for identity theft and fraud activities.

A registry cleaner, also known as registry optimizer or registry defragmenter, is a program that claims to clean the computer’s registry in order to optimize the system’s performance. It is usually free.

Many favor downloading, installing, and running this type of program because they swear by the improved capabilities observed after the registry is cleaned. However, researchers claim that this perceived improvement can only be a form of placebo effect.

Toolbars are software extensions that are visible in the GUI of the host program. In the case of PUPs, the host program is usually a browser. The visible part of the toolbar can vary from one extra button added to the browsers own taskbar, to the bar over the full width at the top of the browser window.